As I understand, the client is checking if the certificate has the flags 00a0 (KU_DIGITAL_SIGNATURE, KU_KEY_ENCIPHERMENT).
It finds out that the certificate has the flags 00a8 (KU_DIGITAL_SIGNATURE, KU_KEY_ENCIPHERMENT, KU_KEY_AGREEMENT).
But 00a8 contains 00a0? So what's the problem???